Title Page

  • Service Provider Name

  • Conducted on

  • Prepared by

Annual Documents

  • InfoSec Annual Review - Provide your infosec framework (Please email or add in platform)

  • InfoSec Annual Testing - Provide your latest specialist external testing of infosec (Latest Pen Test, SOC2 or ISO27001 Certification - Please email or add in platform)

  • BCP Testing - Provide your recent BCP testing report and testing regime (Please email or add in platform)

  • Business Impact Assessment (BIA) of critical business processes and critical systems - Please provide your latest BIA

  • DR Testing - Provide DR Report - full documented scope, success criteria and outcomes (Please email or add in platform)

  • Data Protection Policy - Provide your latest data protection policy

Outsourcing

  • Have you onboarded any outsource services in the last period (12 months)?

  • Please provide details of the services being outsourced

Information Security

  • Have you maintained an information security framework and complied with the relevant legislation?

  • Has your Information Security Controls Framework been reviewed in the last 12 months?

  • Have you become aware of a material weakness in any of your information security controls in the last year?

  • Please provide further details (material weakness information)

  • Have you complied with your Information Security Controls testing program?

  • If you became aware of a critical cyber security incident in the last period, have you complied with all legislative obligations?

  • Please provide further information about the nature of the incident

Business Resilience

  • Have you completed a Business Impact Assessment (BIA) of critical business processes and critical systems in the past 12 months?

  • Do you have a Business Continuity Plan (BCP) for each of the critical business processes determined in your BIA which includes a recovery strategy/plan?

  • Do you have an IT Service Continuity Management (ITSCM) Plan with recovery time and recovery point objectives to align with the BIA?

  • As part of your ITSCM plan, do you have a Disaster Recovery Plan (DRP) for each of the critical systems determined in your BIA?

  • Have all core operating systems used in providing services to us been continuously available during core business hours during the last 12 months?

Fraud and Corruption

  • Have you reported any suspected or actual misconduct that did or could impact the service you provide us in the last 12 months?

Privacy

  • Have you taken all reasonable steps in the last 12 months to comply with all applicable privacy legislation?

  • Have there been any new processes/projects or changes to current processes that impact the handling and/or processing of personal information related to services you intend to provide to SCC?

  • Please provide further information

  • Who is your designated privacy officer?

Data

  • Will our data be stored in NZ, Australia or India?

  • Will our data be accessed by Grappler from NZ, Australia and/or India?

  • Will any personal data be stored or processed in any country other than NZ, Australia or India?

Modern Slavery

  • Do you have policies and processes in place to assist with the identification and eradication of modern slavery in your supply chain network?

  • Have you taken all reasonable steps in the last 12 months to comply with all applicable modern slavery legislation?

  • Do you work or operate within a sector or country that has a heightened risk for modern slavery?

  • Please provide further information

  • Does your company employ migrant workers or other workers who may be vulnerable to exploitation?

  • Please provide further information

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.